Barriers to HTTPS: Certificate Authorities

Until relatively recently, implementing HTTPS without subjecting users to browser warnings meant having to to pay a certificate authority (CA) to formally issue a certificate. With the cost of these certificates easily exceeding what many individuals would pay for domain registration and hosting, the likelihood of widespread adoption plummets. Lately SSL certificates have become much more affordable, and class 1 certificates could be obtained free of charge from StartCom provided you were willing to navigate their awkward interface and validation process.

Let’s Encrypt SSL Certificates and NginxClient Installation

Based on my initial experience with the Let’s Encrypt Client, it seems there is still a lot of work to be done in order to achieve the goal of validating, issuing, and installing certificates in 30 seconds. The client works well for validating and issuing certificates once you understand the assumptions made. The Nginx installer is flagged as under development, and within the client you are warned that it does not work yet. If you have a non-standard Nginx configuration, you may end up with a jumbled mess by using the installer. Let’s Encrypt recommends cloning the client repository to get started. You’ll need to install git if you don’t have it already.

From here you can run letsencrypt-auto, a wrapper that handles OS-specific dependencies in a Python virtual environment. Rather than running the command with sudo, run it with your normal permissions. It will prompt you when it needs additional permissions. By default, the server is set to the staging/testing URL, but in this example I’m using production. Including auth causes the client to obtain the certificate but not install it.

Production Client

Account Email

The client then starts to install dependencies and set up the environment. If all goes well, you’re asked for an email address for notices and key recovery. There didn’t seem to be any email validation when I used it, but I’d suggest using a real address. I’m assuming they’ll add some sort of validation in the future to deter abuse.

Terms of Service

Terms of Service

You’ll be prompted to review the Terms of Service. A link to the terms you’re agreeing to is added to your account metadata in /etc/letsencrypt/accounts/.

Specify Domains

Specify Domains

Since we’re not using an installer, you’re prompted to enter the domains you’d like to use by hand separated by commas or spaces. Domains can also be specified from the command in with -d DOMAIN.

Automation isn’t there yet

Let’s Encrypt strongly recommends using the letsencrypt-auto method, but as of version 0.0.0.dev20151030 (on Ubuntu 14.04.3 with Nginx 1.8.0), it requires a bit of manual intervention. After specifying your domains, Let’s Encrypt attempts to authenticate by using listening on port 80 which is almost certainly in use.

The program nginx (process ID 1196) is already listening on TCP port 80. This will prevent us from binding to that port. Please stop the nginx program temporarily and then try again.
…
At least one of the (possibly) required ports is already taken.

I’m sure this could fixed by editing the client settings or choosing a particular authenticator. But after digging through the GitHub issues for a while, it doesn’t seem like the creators know what the “right way” should be. Since these certificates are only good for three months, and the automated renewal process isn’t quite there given that this is beta, stopping Nginx temporarily isn’t a big deal this time if it means getting certificates issued.

This time the certificate was successfully created and placed in /etc/nginx/live/example.com/

IMPORTANT NOTES:
– Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/rudeotter.com/fullchain.pem. Your cert
will expire on 2016-01-31. To obtain a new version of the
certificate in the future, simply run Let’s Encrypt again.

For now, the Nginx server blocks can just be configured manually. Go ahead and restart Nginx.

sudo service nginx start

Let’s Encrypt placed symlinks to the certificate, chains, and private key in /etc/letsencrypt/live/rudeotter.com — cert.pem chain.pem fullchain.pem privkey.pem. These can be plugged directly into Nginx configuration.

Hi, thanks for your post.
I met the issue like following below:
Failed authorization procedure. myurl.com (http-01): urn:acme:error:connection :: The server could not connect to the client for DV :: DNS query timed out

What is DV and why DNS query timed out? I’m sure the DNS is fine. I have checked the DNS records from https://www.whatsmydns.net, all green.

I’m using Azure now. I have already open 80 & 443 for http & https. Do I need to open another ports?

Also, this post is referencing an older version of the beta client. It looks like this is now their suggested way to request using a standalone web server. They don’t appear to be suggesting the Nginx plugin or include it in letencrypt-auto../letsencrypt-auto certonly -a standalone -d example.com -d www.example.com

This is still in beta and is actively being developed so things will continue to change for a while.

Ivan Fedorov
on January 2, 2016 at 10:14 am

Hello. Thanks for the post, also great Nginx conf!

Is there a way to implement authority check without stopping Nginx? Can I implement that in my own app?

If you’re running a webserver that you don’t want to stop to use standalone, you can use the webroot plugin to obtain a cert by including certonly and –webroot on the command line. In addition, you’ll need to specify –webroot-path or -w with the root directory of the files served by your webserver. For example, –webroot-path /var/www/html or –webroot-path /usr/share/nginx/html are two common webroot paths.

I cant figure this out (and now I feel dumb). I am running nginx on ubuntu 14.04 I am just using default for my conf since I only have one IP going to domain. Unfortunately I propagated first to cloudflare, I was able to create my certs and key, however, when I add this to the default file nothing happens. I even changed cloud flare to strict.. Still nothing… Please help Ive spent two days on this and I simply cant figure it out

For newer versions of nginx (>1.9.x , e.g: Ubuntu nginx development ppa), it’s suggested to use “http2” instead of “spdy” in nginx configuration. With the word spdy it gave me error. Googling let me to use http2 word instead.